XP 1800+ has got odd problem, when rebooted the time is changed. If I do restart change is only a few minutes, if I leave it switched off for 1 hour or more, time and date maybe different, by seveal hours. For example: switch off 9pm 20/march. Switch on 9:05pm 20/march, date and time = 19/march-17:20. Restart and the time stays close at 8:45pm. Date = 19/march.

Otherwise ok, running ZA-free, Kav-pers, Trojan hunter, BOClean. Scanned also with NOD32 and Avast via networked pc. Was running RAV also for 30 days. Spybot, regclean, sfc all ok. Windows update ok. XPantispy ran also.
Easycleaner does see 6 entries in registry that are unknown to me, all start
HKEY-LM/software/Microsoft /WBEM/WDM. any ideas?

I delete them then restart with disk cleanup etc..
But still wierd time displayed.

Any clues? NB: using seperate pc to send this..

Hi Felicity,

I thought of a few possibilities. All very unlikely, but I can´t think of anything you haven´t already checked.
-It could be your motherboard battery, but the time would only be lagging behind more and more as far as I know.
-The keys EasyCleaner found would indicate different user profiles. Again, very unlikely, since these wouldn´t be on a different time/date.

Although you seem to have checked everything I would like to see your StartUpList.
Could you please download HijackThis (http://www.tomcoyote.org/hjt/).
Unzip and Run it. Click Config > Misc Tools > Generate Startuplist and post the contents of the .txt file that is generated.
Maybe that will learn us some more.

Regards,

Pieter

This is it... thanks in advance for looking...

StartupList report, 22/03/2003, 21:55:32
StartupList version: 1.52
Started from : C:\Program Files\Hijack\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\BOClean.exe
C:\Program Files\TrojanHunter 2.5\THGuard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\AvpM.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\PROGRA~1\NSClean\BOClean\BOCSEC.EXE
C:\Program Files\Hijack\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Kaspersky Anti-Virus Monitor.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\AvpM.exe
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NeroCheck = C:\WINDOWS\System32\NeroCheck.exe
BOCleanautostart = BOClean.exe
THGuard = "C:\Program Files\TrojanHunter 2.5\THGuard.exe"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Download Program Files:

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2003030601/housecall.antivirus.com/housecall/xscan53.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37666.5453009259

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 3,962 bytes
Report generated in 0.070 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Hi Felicity,

My compliments. That´s the cleanest StartUpList I´ve seen in a long time. 8)
Do you use multiple user profiles on that computer and, if so, are the other ones having the same problem?

Regards,

Pieter

Yes to multiple user accounts, me = admin plus 3 other limited. One of them does have the same problem. Other two don't know, not used.

Battery - unlikely, 3 months old pc. No other symptoms, all progs running ok.

Is trojan/virus possible?

Hi Felicity,

If you do have a trojan or virus I don´t see it running.
You could check your Services to see if anything strange is going on in there.
Start > Control Panel > Adminstrative Tools > Services
While you are in the Administrative tools have a look at your logs (Event viewer) as well to see if any alarms are logged there.

Since it is only three months old, I would consider bringing it in to the shop and let them have a look.
Back up your important data before you do so however.

Regards,

Pieter

Hi Felicity,

Any news?
My fellow Moderators gave me a few more things you could have a look at to solve your problem:

- When you are looking at the Services find Windows Time, rightclick it, choose Properties and set it to disabled.
- In Trojan Hunter, try enabling the Shutdown Protection.
- If you are using a router, check if it is equipped with time-sync.

Regards,

Pieter

Thanks, I'll try them and let you know.

Hi Felicity,

Just some side-notes:

I guess you are aware that you are running two resident AT's: BOClean and TrojanHunter-Guard.
Usually it is not adviced to use two resident AV's or AT's.
But in this case (BOClean and TH-Guard) it looks like there is no problem having them both resident, because they work in a different way. I have tried it yesterday on my W 98 SE system, no problem so far. (just the same as with BOClean and Execution Protection, the resident part of TDS-3: no problem to have them both "running"; but I myself have more experience with these two and I am more sure about no conflict between those two).

Pieter's advice about the Shutdown Protection of TH was merely meant to make you aware of that option in TH.